Data Transfer Security – Not so safe

A Historical Society (the ICO hasn’t released the name of which one) has been fined after a laptop holding sensitive personal data on those who had donated or loaned artefacts was stolen. The laptop was unencrypted and the ICO found that there were no policies in place when it came to encryption or homeworking. The organisation was fined just £500, to be reduced to £400 if paid early. Not much of a punishment if you ask me – who doesn’t encrypt sensitive personal data nowadays?

This announcement was released less than a week after Essex, Suffolk and Norfolk had fallen into a debacle where thousands of highly sensitive medical records were lost in transit between GP surgeries. It seems extraordinary that, even in this age of drones and virtual reality, doctors’ surgeries are still using hard copies of our medical records which, if you change practices, have to be physically picked up from your old doctor’s surgery and transferred to your new GP.

Just imagine moving house – it’s very exciting, stressful, and can be overwhelming. Whether you are just moving down the road or across counties, you have the worry of unpacking, making your new house a home, and changing your address on things like your driver’s licence and bank account. You also have to think about changing your dentist and, of course, your doctor.

Capita, an outsourced company, took on the national £400 million, 7-year NHS contract in September last year to do a number of things, including transferring patient notes from one GP practice to another. It has just been reported that over 9,000 patient records have gone missing in the last couple of months across East Anglia alone. The GPC (the General Practitioners Committee) ran a survey of 281 practices and found that just under a third had received the wrong patient notes, over a quarter of practices failed to have records collected from them on the date agreed with Capita, and over 80% of urgent requests for records were not processed within 3 weeks.

The NHS is always under scrutiny for something but when they don’t have the correct information for their patients, it makes you feel a little sorry for them.

The main question on my mind is why there are still physical records for information as sensitive as your medical history. The target to reach the utopia of paperless patient records is currently 2020, so for another 4 years our physical records will still need to be transferred physically if we move to another practice. Given the ransomware attacks, breaches and hacks already prevalent within not only the NHS but across all organisations and business sectors, you have to hope that greater care will be taken with our digital records than we are currently seeing with our physical records.

What I find interesting is that Capita, according to a report from the BBC, has refused to recognise these claims. If that is the case, you have to ask why, only last week, Health minister Nicola Blackwood told MPs that she expects Capita to consider “compensation as an option” and stated that Capita had been ‘inadequately prepared’ to take over the primary care support services contract earlier this year. She also made it plain that there should have been greater scrutiny of Capita’s competence in delivering the contract.

A Capita spokeswoman said: ‘NHS England contracted Capita to both streamline delivery of GP support services and make significant cost savings across what was a highly localised service with unstandardised, generally unmeasured and in some cases, uncompliant processes.

‘We have taken on this challenging initiative and we have openly apologised for the varied level of service experienced by some service users as these services were transitioned and are being transformed.’ She said the company did not recognise ‘whatsoever’ claims that thousands of patient records were missing.

Regardless of the above, what is absolutely clear is that whether you are transferring data physically, as in this case, or electronically, it is highly important to have appropriate security procedures in place. Keep records of the data you are transferring. Know whether it has, or has not, arrived. And, if you’re using digital transfers, the ICO has recommended encrypting not only your files but also the connection you are using to transfer them.
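As an added illustration of the record-keeping advice above (not part of the original post): the sender logs every dispatched record with a SHA-256 digest and a due date, then reconciles that manifest against the receivers' acknowledgements to see what arrived, what went to the wrong practice and what is missing. The field names, record ids, practice codes and dates are constructed assumptions.

```python
import hashlib
from datetime import date

def digest(payload: bytes) -> str:
    """SHA-256 of the transferred file, computed by sender and receiver."""
    return hashlib.sha256(payload).hexdigest()

def receipt(record_id, received_by, received_on, payload):
    return {"record_id": record_id, "received_by": received_by,
            "received_on": received_on, "sha256": digest(payload)}

def reconcile(manifest, receipts, today):
    """Classify every dispatched record by comparing manifest and receipts."""
    acked = {r["record_id"]: r for r in receipts}
    report = {}
    for entry in manifest:
        ack = acked.pop(entry["record_id"], None)
        if ack is None:
            # No acknowledgement: in transit until the due date, then missing.
            status = "missing" if today > entry["due"] else "in_transit"
        elif ack["received_by"] != entry["recipient"]:
            status = "misdelivered"
        elif ack["sha256"] != entry["sha256"]:
            status = "altered"
        elif ack["received_on"] > entry["due"]:
            status = "late"
        else:
            status = "delivered"
        report[entry["record_id"]] = status
    # Acknowledgements for records the sender never logged.
    for record_id in acked:
        report[record_id] = "unexpected"
    return report

# Constructed sample data (hypothetical ids, practices and dates).
NOTES = {f"REC-{i}": f"patient notes {i}".encode() for i in range(1, 6)}
DUE = date(2016, 11, 14)
MANIFEST = [{"record_id": rid, "recipient": "PRACTICE-B", "due": DUE,
             "sha256": digest(body)} for rid, body in NOTES.items()]
RECEIPTS = [
    receipt("REC-1", "PRACTICE-B", date(2016, 11, 10), NOTES["REC-1"]),
    receipt("REC-2", "PRACTICE-C", date(2016, 11, 10), NOTES["REC-2"]),
    receipt("REC-3", "PRACTICE-B", date(2016, 12, 12), NOTES["REC-3"]),
    receipt("REC-4", "PRACTICE-B", date(2016, 11, 11), b"different notes"),
    receipt("REC-9", "PRACTICE-B", date(2016, 11, 11), b"unlogged notes"),
]

if __name__ == "__main__":
    print(reconcile(MANIFEST, RECEIPTS, today=date(2016, 12, 15)))
```

Encrypting the files and the connection, as the ICO recommends, is a separate control; the manifest should hold only identifiers and digests, never the record contents.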

Now, if you’ll excuse me, I’m just off to call my doctor’s surgery and see if they are still in possession of my medical notes!